Cisco Support Community

New Member

WWW IIS Double Decode Error

Hello all,

I have been getting hundreds of the WWW IIS Double Decode Error, without any real positives coming out of it. It seems as if Inbox from Excite, MSN, Hotmail, etc. generates those errors, and it's a pain in the rear to have to examine each for possible positives. I read the NSDB entry on it, and don't see how they could be detecting this as an alarm. Any comments?

Signature is 5124/0

5 REPLIES
New Member

Re: WWW IIS Double Decode Error

What version are you running? There are known false positives for S5 and below for this signature. If you update to S6 or S7 you should not have this problem.

New Member

Re: WWW IIS Double Decode Error

I have 3.0(1)S6 on all Sensors as well as 2.2.3(S6) on the Unix Director...

Cisco Employee

Re: WWW IIS Double Decode Error

I just looked and this fix did not make it into S6, but is in S7 which is now on CCO (should be today). It is also accessible from the following location:

ftp://ftp-eng.cisco.com/csids-sig-updates/S7/IDSk9-sig-3.0-1-S7.bin

ftp://ftp-eng.cisco.com/csids-sig-updates/S7/IDSk9-sig-3.0-1-S7.readme

Cisco Employee

Re: WWW IIS Double Decode Error

It is possible that there are still unknown benign triggers for this signature. Could you please email me directly a few examples of your logfile entries? By examining the context of the alarm we should be able to tune the signature for a future release. Our first tuning should have eliminated legitimate traffic that was using the double deobfuscation in the arguments of a URL. Perhaps people are using this elsewhere legitimately. My e-mail is klwiley@cisco.com.
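The tuning described in the reply above, as an added example (not Cisco's signature logic and not code from this thread): a Python sketch that treats a request as double-encoded when a valid `%XX` escape survives one decoding pass, and raises an alarm only when that happens in the path rather than in the URL arguments. The function names and the request lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# A syntactically valid percent-escape such as %2F or %5c.
ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def double_encoded(text):
    """True if a valid %XX escape is still present after one decode pass."""
    # latin-1 keeps every decoded byte as one character, so nothing is
    # replaced or dropped while checking for a second encoding layer.
    once = unquote(text, encoding="latin-1")
    return ESCAPE.search(once) is not None


def classify(request_line):
    """Return 'alert', 'suppressed' or 'clean' for one HTTP request line."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return "clean"  # not a parsable request line
    path, _, query = parts[1].partition("?")
    if double_encoded(path):
        return "alert"  # second encoding layer in the path
    if double_encoded(query):
        return "suppressed"  # second layer only in the arguments (assumed tuning)
    return "clean"


def tally(request_lines):
    """Count the verdicts for a batch of request lines."""
    return Counter(classify(line) for line in request_lines)


# Constructed request lines, not taken from any real log.
SAMPLES = [
    # Webmail-style redirect: the nested URL in the argument is encoded twice.
    "GET /mail/inbox.asp?next=http%253A%252F%252Fwww.example.com%252Fhome HTTP/1.0",
    # Double-encoded space in the path: still alarms under this rule.
    "GET /docs/annual%2520report.htm HTTP/1.0",
    # Single encoding in both path and argument.
    "GET /docs/annual%20report.htm?q=a%26b HTTP/1.0",
    "GET /index.htm HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{classify(line):<10} {line}")
```

The second sample is the kind of entry worth sending in for tuning: it has a second encoding layer in the path, so this rule alarms on it even though the decoded value is only a space.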

New Member

Re: WWW IIS Double Decode Error

klwiley:

Okay, I'll go turn the signature back on (I had to demote it to a Level 1 alarm to avoid having to delete 100 of them every 5-10 minutes... it was that bad!)

I then will send you copies of the log files.

Brenden
